My IP blocked due to ProjectHoneyPot. How to resolve?


#1

I have a VPS with dedicated IP address in the UK. I use it to host a static website and email, and to fetch RSS feeds. Some of those RSS feeds are getting blocked by cloudflare. Doing the CAPTCHA to get around it would be inconvenient (I guess I’d have to set up Xvnc or a tunnel to use a browser). Server is Debian 9 and is up to date and I have run chkrootkit and lynis.

I already have a monitor set up in ProjectHoneyPot from months back when I had the same problem. That monitor reports the IP as clean, but actually checking the same IP from their front page it comes up with a hit 2 days ago. So that inconsistency is a bit rubbish. As I understand it, a hit on ProjectHoneyPot means that someone somewhere has sent spam with my IP address in it. It doesn’t necessarily mean that my server is compromised, it just means that some idiot out there has my IP address in his spam scripts.

Really CloudFlare has way too much power to just be banning IPs without any transparency about why. The excuse that it is the site owner who enabled the banning doesn’t really cut it. I should be able to request the trail of evidence, so that if there is a problem on my server, I can fix it. ProjectHoneyPot itself seems dubious because it seems like a malicious actor could DoS my IP’s access to cloudflare-hosted sites by just sending out spam mentioning my IP address. I’ve already whitelisted my IP once with ProjectHoneyPot but the option doesn’t seem to be available any more.

If there is an issue with my server I’d like to fix it, but having done various scans and so on I can’t see any problem. So the only option left seems to be to try to get a tunnel or proxy set up to do the CAPTCHAs. But really this is a pretty poor situation. Is there anything else I can do?


#2

The best option would be to contact Cloudflare about the issue: log in to Cloudflare and then contact Cloudflare Support, and they can look into your IP address’s reputation.

Since you’re using a VPS, it’s likely a user before you using the same VPS provider had your IP address and used it for spam and got it on ProjectHoneyPot/other IP blacklists.

It doesn’t necessarily mean that my server is compromised, it just means that some idiot out there has my IP address in his spam scripts.

it seems like a malicious actor could DoS my IP’s access to cloudflare-hosted sites by just sending out spam mentioning my IP address

Note that IP addresses cannot be faked, so your server might be compromised or someone incorrectly reported your IP to Project Honeypot (I’m not familiar with how they collect their data). It would still be best to look at any open listening ports (netstat -l) and audit your access logs for SSRF/injection attacks.

Some of those RSS feeds are getting blocked by Cloudflare.

In general site hosts should have these RSS feeds properly set up in Cloudflare to “security level: low/essentially off” and cached, however, most don’t properly configure this or care so it ends up using their default security level, which is either high or “I’m under attack” and will block most automated scripts or IPs with even the smallest level of suspicious behavior.
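The checks suggested in the reply above (listening ports, access-log audit), scripted as an added example; this is not code from the thread or from Cloudflare. It runs against a constructed sample access log in combined format (documentation-range IPs) so it can be tried offline; on a real host point it at /var/log/apache2/access.log or /var/log/nginx/access.log. The pattern list is a first-pass starting point, not a complete signature set, and the outbound-SMTP check is added because a host that is actually sending spam shows it there rather than in the web log.

```shell
#!/bin/sh
# Added example, not from the thread: audit listeners, live outbound SMTP
# connections, and an access log for injection / SSRF-style probes.

# Constructed sample log (combined format). IPs are RFC 5737 documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Mar/2019:12:00:01 +0000] "GET /feed.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2019:12:00:05 +0000] "GET /../../etc/passwd HTTP/1.1" 404 209 "-" "curl/7.52.1"
198.51.100.9 - - [10/Mar/2019:12:00:06 +0000] "GET /fetch?url=http://169.254.169.254/latest/ HTTP/1.1" 404 209 "-" "python-requests/2.21.0"
198.51.100.9 - - [10/Mar/2019:12:00:07 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "python-requests/2.21.0"
192.0.2.44 - - [10/Mar/2019:12:00:09 +0000] "GET /about.html?id=1%27%20UNION%20SELECT%201,2-- HTTP/1.1" 200 1234 "-" "sqlmap/1.3.4"
EOF
)

# Case-insensitive ERE: path traversal, null bytes, SQLi keywords, sleep()
# probes, shell expansion, URLs inside query strings (SSRF probes), and
# PHP/WordPress probes that should never hit a static, PHP-free site.
SUSPICIOUS_RE='(\.\./|%2e%2e|%00|union(\+|%20| )select|sleep\(|/etc/passwd|\$\{|`|[?&][a-z_]+=https?(%3a|:)|\.php|wp-login|xmlrpc)'

# Every listening TCP/UDP socket with its owning process (root shows all PIDs).
list_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -lntup; else netstat -lntup; fi
}

# Established connections to remote mail ports. A static site with a local
# MTA should show only the MTA's own PID here; anything else is suspect.
list_outbound_smtp() {
    ss -ntp state established '( dport = :25 or dport = :465 or dport = :587 )'
}

# FILE -> the request lines matching SUSPICIOUS_RE (exit 0 even on no match).
scan_access_log() {
    grep -Ei "$SUSPICIOUS_RE" "$1" || true
}

# FILE -> number of suspicious lines (prints 0, not failure, when none).
count_suspicious() {
    grep -Eic "$SUSPICIOUS_RE" "$1" || true
}

# FILE -> "count ip" lines, busiest client first; a scraper stands out here.
top_client_ips() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -rn
}

# Demo: use the log given as $1, otherwise the constructed sample.
LOG="${1:-}"
CLEANUP=""
if [ -z "$LOG" ]; then
    LOG=$(mktemp)
    CLEANUP="$LOG"
    printf '%s\n' "$SAMPLE_LOG" > "$LOG"
fi
echo "== suspicious requests: $(count_suspicious "$LOG") =="
scan_access_log "$LOG"
echo "== busiest clients =="
top_client_ips "$LOG" | head -5
if command -v ss >/dev/null 2>&1; then
    echo "== listeners =="
    list_listeners 2>/dev/null || true
    echo "== outbound SMTP =="
    list_outbound_smtp 2>/dev/null || true
fi
[ -n "$CLEANUP" ] && rm -f "$CLEANUP"
```

On the sample log this flags four of the six requests (traversal, the SSRF probe against the metadata address, the wp-login probe, the SQLi probe) and ranks 198.51.100.9 as the busiest client. Hits in a web access log point at people probing the server, not at the server sending spam; the outbound-SMTP listing and the listener list are what would show the latter.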


#3

Thanks, I checked those things and it still all looks fine. I know IPs can’t be faked, but as I understand it ProjectHoneyPot triggers on someone mentioning your IP address in a spam, implying that that IP address must be hosting some malware. That’s when it could cause false positives, because it assumes that spammers don’t make mistakes.

I will write to cloudflare support. Thanks again for the suggestions.


#4

No response from the support E-mail address, not even a ticket number. I previously had a positive view of CloudFlare from their Rust and Go involvement, but they can’t act like an unaccountable judge and jury and block people with no way to resolve it. That will just give a bad reputation in the end.

My suggestions:

  • Make the CAPTCHA page give access to full details of the bad behaviour detected for the IP address, i.e. dates, types of activity, port numbers, etc etc. That way their decision to block can be fully justified if challenged. (Right now my server looks 100% clean but still it is being blocked.)

  • Don’t rely on informal volunteer-led stuff like ProjectHoneyPot without double-checking the results, because it seems likely that it can be gamed to create a DoS attack

  • Warn in the web config UI that there may be false positives, and that genuine honest users might get blocked, if the webmaster chooses the more aggressive settings – like a big red flashing message so that they can’t miss it

When I get time I will install an HTTP proxy so that I can do the CAPTCHA and see if that helps. (And then straight away uninstall it, because I don’t want more security risks than necessary on my server.)


#5

Okay, I’ve found the support section in their main site (for customers) and sent a message through that. Let’s see if I have more luck that way.


#6

I got a standard template reply. I cannot recommend CloudFlare to anyone when they have this attitude. Just standard mega-corp we-don’t-care-so-long-as-the-money-rolls-in service. CloudFlare, you can do better!!!

There have been a number of security events relating to this IP address, which has caused you to hit bad reputation. Please review your network and confirm that you have no infected devices. Once that has been confirmed, the IP reputation will naturally improve.

If for any reason the IP reputation score does increase again, the likelihood is that you still have something which is infected on your infrastructure.

Often this is caused by:

Computer/IoT device infected with malware or some kind of virus

Scripts or bots (e.g. scrapers) carrying out automated tasks across sites.


#7

If you don’t mind changing your IP I suggest you change it by getting a new dedicated IP and attaching it to the VPS instance (or even a new instance to start from a fresh slate). Check the new IP first too. Depending on the VPS provider, good ones will normally wait a few months before recycling IP addresses so the likelihood of a bad IP is very low. If the reputation score of the new IP also increases then you are doing something very wrong.


#8

What happened to innocent until proven guilty? I’m running a really minimal server. No PHP, no wordpress, no nothing. I’m intentionally avoiding anything risky. I’ve checked my logs, run scans, etc. I just double-checked that there were no extra files being served over HTTP, and that all the existing ones had the right checksums. Why should I change my IP and accept extra cost/hassle/downtime? I’ve had this IP for years and years. If they can provide evidence, then I will fix it, but right now I think this is a false positive.

I’ve asked the support person to give me specific information about the “Security Events”, and to escalate it if they don’t have enough access to get me that information. CloudFlare can’t just cut off people’s access to parts of the web without any accountability.


#9

It is innocent until proven guilty, and your IP was proven guilty in the past. Your VPS provider/host likely rolled over the IP too quickly for its bad IP Reputation to fizzle out, and that’s the fault of your host.


#10

If I’m guilty, where’s the proof? (I’ve had this IP address for years.)

As I say, with no evidence, I have to suppose that this is a false positive. I don’t think CloudFlare are verifying that an IP address is really hosting malware before blocking it (in the case of ProjectHoneyPot). Some fuzzy “reputation” score based on hearsay is not good enough. It should be based on hard data. And they should be able to provide that evidence when challenged (or provide it automatically through a link).

I’ve just gone over my iptables firewall configuration again to check that, and that’s all fine. All ports except the ones I need are blocked, and there’s a 4-strikes ssh port rule. The server sends me its process list every night to check. Apart from package updates, it has been running this way for years. This isn’t some server that’s been left wide open and unattended for hackers to take over. I’ve been maintaining one or more internet servers for more than 20 years, so I do have at least half a clue. Who knows, I may have made a mistake somewhere, despite checking – but really there is nothing suspicious that I can see AT ALL on my server.


#11

Hi @user269 I checked the IP you sent to the support team and I don’t see it listed on Project Honeypot. From what I can see, the captcha challenge is not related to honeypot. You can double-check my work by searching for your IP here: https://www.projecthoneypot.org/search_ip.php. If you do find your IP, follow the instructions on Project Honeypot to have it removed from their database (if the IP has stopped malicious behavior or if you believe this is in error).

Your server is presented a captcha when fetching the RSS; have you tried contacting the owner of the RSS service and ask them to whitelist (or at least not challenge) your IP?


#12

Thanks for responding. If I check ProjectHoneyPot then it reports:

First Bad Host Appearance approximately 5 months, 4 weeks ago
Last Bad Host Appearance within 1 week
Bad Host Appearances 42 appearance(s) in spam e-mail or spam post urls

It’s already white-listed (W next to IP). But I can try whitelisting it again.

Everyone is suggesting workarounds (get a new IP, contact the website owner, whitelist on ProjectHoneyPot), but surely there is a problem with the blocking mechanism if it is giving false positives and not verifying that malware is actually being hosted on the site? (or that the site really has an exploitable weakness)

Anyway, thanks for responding. I will contact the RSS website owners.


#13

As you can see the reasoning is not regarding a website hosting malware. The reasoning states e-mail spam or POST URL spam. This happens if you’re running a mail/SMTP server or you’re making bad requests via some automated vulnerability scanner or script. Not sure where to go from here; I’m sure you’re not sending spam personally, so see if there are any rogue Python scripts, Docker containers, or possible Arachni workers running on your server.


#14

It says appearances IN spam E-mail or spam post URLs. I understood that to mean links within those posts. So either those links are to malware (which I’m sure I’m not hosting), or I guess someone might be unhelpfully spamming links to a genuine page on my website (but why? it’s just a personal non-commercial site). That would mean someone effectively doing a DoS attack against my IP address, using ProjectHoneyPot and CloudFlare’s reputation score as intermediaries. I’ve written on ProjectHoneyPot’s board to see if that is a viable attack vector.

If what they’re trying to say is that someone is sending E-mails from my server, or posting stuff over HTTP from my server, that’s a different question. I’m not running an open relay, nor docker, and there have been no suspicious scripts running. I’m not doing any scraping or crawling myself. SSH auth logs are clean.

I was running OpenVPN occasionally with a 2048-bit shared secret key. If that key was leaked by the software on the client machine (a virus-scanned Mac), I suppose that might have given someone a way through some of the time. I suppose OpenVPN is the most likely suspect right now if the problem is on my machine, so I’ve uninstalled it and I guess I’ll see if I get any more hits.

I still think that CloudFlare need to get hard evidence. There are lots of people on the ProjectHoneyPot board complaining, but no-one cares. There’s no way I’d let that software onto my server.


#15

For anyone else in the same situation, you can set up a SOCKS proxy to a remote Linux server by using ssh -D 54321 .... Then you can configure Firefox to use the SOCKS proxy on 127.0.0.1 port 54321. Then access all the affected URLs and resolve the CAPTCHAs. You can also visit ProjectHoneyPot, search for your IP address and whitelist yourself.

None of this really helps of course if there is still a problem on your server. If CloudFlare themselves just trust ProjectHoneyPot, then they need to put pressure on ProjectHoneyPot to make all the evidence gathered for an IP address available to the owner of the IP address. Otherwise how are we supposed to debug the problem? I still don’t know whether this is someone spamming links to my website or not. Assuming that the aim of ProjectHoneyPot is to get everyone to clear all their viruses and tighten up their server security, then providing full information is vital. Otherwise all that everyone has created is an unhelpful wall of unresponsive unaccountable bureaucracy.
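The SOCKS workaround from the post above as a complete, repeatable script; this is an added example, not the poster's own commands. It assumes ssh access to the VPS as the value of VPS (a placeholder to replace), curl on the desktop, and an IP-echo service (ICANHAZIP, also a placeholder; use any service you trust) to confirm that traffic really leaves from the VPS's address before you start solving CAPTCHAs. Name resolution is pushed through the tunnel as well, so the site sees the same path a browser set to "Proxy DNS when using SOCKS v5" would.

```shell
#!/bin/sh
# Added example, not from the thread: open an ssh SOCKS5 tunnel to the VPS,
# confirm the egress IP, fetch a challenged URL through it, tear it down.
VPS="${VPS:-you@vps.example.org}"      # assumed placeholder; replace with your VPS
PORT="${PORT:-54321}"
ICANHAZIP="${ICANHAZIP:-https://icanhazip.com}"  # assumed IP-echo service; replace if you prefer

# Unprivileged TCP port only: 1024..65535, digits only.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# -N: no remote command; -f: background after auth; -D: dynamic SOCKS port.
# Bind to loopback only so nothing else on the LAN can ride the tunnel, and
# fail loudly instead of silently if the port is already taken.
start_socks_tunnel() {
    valid_port "$PORT" || { echo "bad port: $PORT" >&2; return 1; }
    ssh -f -N -o ExitOnForwardFailure=yes -D "127.0.0.1:$PORT" "$VPS"
}

# curl through the tunnel; --socks5-hostname resolves names on the VPS side.
proxy_curl() {
    curl -sS --socks5-hostname "127.0.0.1:$PORT" "$@"
}

# The address the far end sees; must equal the VPS's IP or the test is moot.
egress_ip() {
    proxy_curl "$ICANHAZIP"
}

stop_socks_tunnel() {
    pkill -f "ssh -f -N -o ExitOnForwardFailure=yes -D 127.0.0.1:$PORT" || true
}

# Usage: VPS=me@host sh socks.sh run https://example.org/feed.xml
if [ "${1:-}" = "run" ]; then
    start_socks_tunnel
    echo "egress IP via tunnel: $(egress_ip)"
    # Status of the challenged feed as seen from the VPS IP; a 403 with a
    # cf-ray response header means the challenge is still in place.
    proxy_curl -o /dev/null -D - -w 'status %{http_code}\n' "${2:?url}" | grep -Ei '^(status|cf-ray)'
    stop_socks_tunnel
fi
```

While the tunnel is up, point Firefox at SOCKS v5 host 127.0.0.1, port 54321, with "Proxy DNS when using SOCKS v5" ticked, solve the CAPTCHAs, then run stop_socks_tunnel. curl alone cannot clear a CAPTCHA; it is there to prove which IP is being challenged and whether the challenge is gone afterwards.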


#16

This topic was automatically closed after 14 days. New replies are no longer allowed.